Passwords and Security Part 2

Last month, we looked at why it’s important to use a different password on every website and your homework was to sort out all those post-its and get your existing passwords organised in an address book – A for Amazon, G for Gmail but not everything under C for Computer…

So let’s look at what makes a good password. Which of these is harder for a hacker to crack:

EDe5u2&kvS

StapleBananaHamster

Most people instinctively opt for the first: it’s hard to remember, a weird mix of upper- and lower-case, plus there’s numbers and symbols. It must be more secure, surely?

No.

We talked last month about ‘hashed passwords’ – the scrambled numbers that your passwords are turned into before they’re stored, and that are what gets stolen when a website is hacked. The hackers have computers running round the clock, trying out strings of characters, working out the number each one translates to and checking it against the stolen list. It’s widely reckoned that, at the moment, any password with fewer than 12 or 13 characters is within reach of that kind of guessing, and the common ones have long since been worked out and saved in lists.

One of my favourite websites – I should get out more – is www.howsecureismypassword.net

There, you can enter a password and see how long it would take one hacker with one computer to crack it (type in something of the same shape as your password, not the real thing – it’s a website, after all). I’ll save you the trouble… EDe5u2&kvS would take about six years. Not bad, but remember that the hackers have already been working at this for years with more than one computer so, effectively, that’s already been guessed.

StapleBananaHamster? 318 Trillion Years. Staple£Banana24Hamster? 252 Sextillion years. That’s 252 followed by 21 zeroes.

These numbers are estimates, and they assume the hacker is guessing character by character. A combination of words that a hacker would simply guess as words, e.g. Manchester followed by United, fares far less well than the figure suggests. But the most important thing is length. So two or three unrelated words, upper- and lower-case, a few numbers in between (though a family birthday is the first thing anyone who knows you will try), maybe a symbol, and you’ve got a reasonable password. Looking round my palatial office in Oapc Towers, with magazines, books, boxes of stuff, Useful24Panasonic!Carpet comes out to one octillion years, which is secure enough.
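As an added example, not code from the original post or from the website it mentions: the following Python shows what that round-the-clock guessing looks like against a constructed list of stolen, unsalted SHA-256 hashes, using both a character-by-character search (the model behind the website’s estimates) and a word-combination attack, and then works out the guess counts each model gives for the passwords above. The hash list, the eight-word dictionary, and the guess rate of a billion per second are all made-up assumptions for the demonstration.

```python
"""Added example, not code from the original post: what 'trying out strings and
working out the number' looks like against a constructed leak, plus the two
guess-count models that explain the website's estimates. All data is made up."""
import hashlib
import itertools
import string


def sha256_hex(text):
    # Plain unsalted SHA-256, the cheapest thing a careless website might store.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed 'stolen' hash list: one short password, one famous two-word phrase,
# the three-word passphrase from the post, and its numbers-and-symbol variant.
LEAKED_HASHES = {sha256_hex(p) for p in (
    "rose", "ManchesterUnited", "StapleBananaHamster", "Useful24Panasonic!Carpet")}

# Constructed attacker dictionary; real ones hold hundreds of thousands of words.
WORDS = ["manchester", "united", "city", "staple", "banana", "hamster", "password", "carpet"]


def crack_brute_force(hashes, alphabet, max_len):
    """Hash every string of length 1..max_len over `alphabet`; return the ones that
    match. Work grows as len(alphabet) ** length, so each extra character multiplies it."""
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            h = sha256_hex(guess)
            if h in hashes:
                found[guess] = h
    return found


def crack_word_combinations(hashes, words, max_words):
    """Combinator attack: glue 1..max_words dictionary words together, trying each
    word as typed and Capitalised. The length of the result has no effect on the cost."""
    tokens = [w for word in words for w in (word, word.capitalize())]
    found = {}
    for n in range(1, max_words + 1):
        for combo in itertools.product(tokens, repeat=n):
            guess = "".join(combo)
            h = sha256_hex(guess)
            if h in hashes:
                found[guess] = h
    return found


def guesses_by_characters(password):
    """Search space for a character-by-character attack, the model behind
    howsecureismypassword-style estimates: alphabet size ** length, where the
    alphabet is the union of the character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


def guesses_by_words(n_words, dictionary_size, variants_per_word=2):
    """Search space if the attacker instead picks whole words from a dictionary."""
    return (dictionary_size * variants_per_word) ** n_words


def years_to_exhaust(guesses, guesses_per_second=1e9):
    """Time to try every guess at an assumed rate (a billion per second is a
    round, assumed figure for a fast unsalted hash on one graphics card)."""
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("brute force:", list(crack_brute_force(LEAKED_HASHES, string.ascii_lowercase, 4)))
    print("word combos:", list(crack_word_combinations(LEAKED_HASHES, WORDS, 3)))
    for pw in ("EDe5u2&kvS", "StapleBananaHamster"):
        print(pw, f"{years_to_exhaust(guesses_by_characters(pw)):.3g} years by characters")
    print("3 words from a 7776-word list:",
          f"{years_to_exhaust(guesses_by_words(3, 7776)):.3g} years by words")
```

Run it and the four-letter password and both word-only passphrases fall out of the cracking loops in seconds, while Useful24Panasonic!Carpet survives because the numbers and the symbol break the pattern the word attack is looking for. The guess counts at the end show why the website rates 19 letters so highly, and how much of that margin disappears if the attacker guesses whole words from a list of a few thousand instead of guessing letter by letter.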

But how to remember these very secure passwords? You don’t have to. Your computer will do it for you and fill it in again when you visit the website. Some people worry that this weakens their security, and it does. But the chance of an easy-to-guess password being stolen in a website hack is much greater than the chance of passwords being stolen from a correctly updated home computer, and if you use the same password everywhere, a website hack only has to happen once. But don’t forget to update your Password Book whenever you change a password, because if your computer should suffer a disk failure, those saved passwords are very likely gone with it.

I should say at this point that you should only store passwords on your computer if you can trust everyone who accesses it. If you share it with kids or significant others whom you don’t want to automatically access your credit cards, a separate login for each of you and a master password to keep things secure seems like a good idea.

More secure and, in these days of using a PC, phone or tablet to access the same information in different places, more convenient is a password manager program, such as LastPass or KeePass. These, protected by one very secure master password, will generate passwords automatically and fill them in again as required. It means you can routinely use a 20 or 30 character password like Z2$TXec3zK4PasmvQlTyE3d6Q$8Um1 and not have to write it down or remember it. They can also work across devices, so you can save a password on your PC and fill it in on your phone.

Naturally, these services make a very tempting target for villains but I still use one because the alternative is inevitably not so secure.

So, now that you’ve got all your passwords organised in your new address book, it’s time to start visiting websites and changing the old short passwords for nice, long, secure ones. While you’re there, make sure that the contact and security information is up-to-date. These days, most websites use a mobile phone number or an email address to send a code that confirms it’s you, so that you can easily change your password.

One of my favourite ways of spending time with customers is trying to persuade a website to send a way of resetting a password, when the two alternatives are an email address that hasn’t existed since 2006 and a mobile phone number that was changed nine years ago, belonging to the customer’s daughter…

Next month, I’ll look at a way of making your log-ins even more secure, that many of you may already be using.
